ldap authetification question

pam-list@redhat.com (Michael Kress) · Sun, 9 Jun 2002 15:47:36 +0200 (CEST)

Hello,

I tried to implement authentification to ldap via pam_ldap and I'm encountering
problems - I wonder if you could be a help to my problem:

The problem in brief: After a conversion towards pam_ldap I can't login
anymore into my machine when the ldap server isn't started.
Imagine the scenario: The machine boots (normally it doesn't) ;-) and it
can't mount /var, so the slapd can't start up.

As far as I've understood the sense of /etc/nsswitch.conf it determines the
order of usage of fall back services, i.e. if one service fails, the next one
will be consulted, and so on...

So, my nsswitch.conf looks like:
...
passwd:     files nisplus nis ldap
shadow:     files nisplus nis ldap
group:      files nisplus nis ldap
...

(I tried some variations like: ldap files, etc.)

Since I'm using redhat 7.2 I used authconfig which generated this
file: /etc/pam.d/system-auth ... after I instructed it to use ldap for
authentification:
--------------------------------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok nis
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
--------------------------------------------------------------------------------

So, I can login without any problems, no matter if this user is located in
/etc/passwd or in the ldap People database, but when I stop slapd, I can't
even log in as a /etc/passwd user (e.g. even root!). 
Fortunaley I had a couple of other root shells open to this machine. :)
Is there any way to achieve this, to be able to login with a stopped slapd ?
Besides the HOWTOS, is there any documentation which handles exactly this
problem ?

Thanks in advance for your help!

    Michael

-- 
Michael Kress / kress@hal.saar.de / please use pgp (key on hp)
http://www.michael-kress.de / http://kress.net
To increase system performance press CTRL+D now.
P E N G U I N S   A R E   C O O L.